New Release: Tor Browser 8.0.8

by boklm | March 23, 2019

Tor Browser 8.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

The main change in this new release is the update of Firefox to 60.6.1esr, fixing bugs found during the Pwn2Own contest.

The full changelog since Tor Browser 8.0.7 is:

  • All platforms
    • Update Firefox to 60.6.1esr
    • Update NoScript to 10.2.4
      • Bug 29733: Work around Mozilla's bug 1532530

Comments

Please note that the comment area below has been archived.

No. We are currently testing the new OpenSSL version in the alpha series. The main reason this got not included immediately in stable is that the fixed issues in OpenSSL are not affecting Tor.

March 23, 2019

Permalink

Every time i start Tor it just says its waiting for Tor to start but after a few minutes it says it cant connect to the Tor control port. I have this issue since a few days ago. Anybody knows whats going on? What can i do?

I got a similar problem. Since the weekend it takes much longer then normal to connect to the Tor-Network. If the browser finally is connected, it takes forever to download a website. I didn't changed a bit on my system. So whats the problem?

March 23, 2019

Permalink

I'm moving the entire internet to Tor. I don't work on Sunday's but I'll start my duty on Monday morning.

Could you please provide more information about the issue you're experiencing? What is the specific problem you're running into? What actions did you complete before the issue occurred? Are you using Tor Browser for desktop, or are you using Tor Browser for Android? Do you see any error messages?

March 23, 2019

Permalink

Just updated Tor. I use DuckDuckGo within Tor. With update, every web search requires a Noscript verification for trust. Is that expected or did the Noscript update that came with the Tor update automatically set that? I didn’t use to get that previously.

March 24, 2019

In reply to boklm

Permalink

thanks

March 23, 2019

Permalink

First off, thanks for the great work that enables people around the world to evade censorship and surveillance.

Now, a question: is it possible to permanently disable or block NoScript's XSS warnings by default?

March 24, 2019

Permalink

boklm & gk, et' al , Thank you for your fast work !

Does this update include Firefox fixes for the security-holes exposed in Pwn-2Own-2019 ??

The security issues disclosed during Pwn2Own were two JavaScript bugs, and two sandbox escape bugs. The JavaScript issues have been fixed by this release, but the sandbox escape bugs will require more work from Mozilla and will be fixed in one of the following releases.

March 24, 2019

In reply to boklm

Permalink

Thank you boklm, you and Team-Tor save the lives of Journalists and NGO's around the world!

Many thanks to the Tor Browser team (and even Mozilla and Pwn2Own) for addressing this issue!

Given that the sandboxing issue is not yet fixed, how vulnerable do you assess TB users to be when they set the security slider to "Safer" until Mozilla fixes that issue?

March 24, 2019

Permalink

my 360 total security detected a trojan on start up when using 8a58 . it tried to auto update on start up to 8a59. jut thought i would warn people

Has that happened for you with previous alpha versions? Heuristics of scanners sometimes alert on bleeding-edge software if those scanners haven't received updates to recognize them. Alpha versions are more likely to be unrecognized. Scan it again in another week or so after updating your scanner's definitions. Or if you don't need the alpha, just use the standard release.

Remember to verify PGP signatures by downloading the sig file from the link under the button on the download page. https://www.torproject.org/docs/verifying-signatures.html.en Also search the web for PGP or GnuPG guides to verify signature files. Many open-source projects ship sig files with their programs, so verifying them is a good skill to learn and to practice.

I was worried when I saw 3 new options in NoScript's settings after the addon updated, but then I was relieved to find that the NoScript change log contains many changes made for Tor and says those new settings are set to defaults specially for Tor. I am happy Giorgio and Tor Project are partnered closely so the asynchronous updates of NoScript don't harm Tor Browser's privacy. Thank you, Giorgio and Tor Project.

March 25, 2019

Permalink

Tor been acting odd for months so today on a whim I stoped by ip-check.info an what I saw was, well, not what I would have expected. RED, everywhere it was RED. Funny thing is after going back again and again all is green, almost. It seems Tor is working better as well, why is that?

Windows 32 bit, updated 4 maybe 5 times.

Hard to say. Is that bad behavior reproducible on your system? If so, could you give us steps to do so? What do you mean by "after going back again and again all is green"? What exactly did you do?

March 25, 2019

In reply to gk

Permalink

I ment after restarting Tor again an again to see if I could reproduce the same outcome. Next time I will be sure to get a screen shot. As of right now ip-check.info says I am using Tor in green instead of red.

ip-check.info currently tells me in red that I am not using Tor, although I am, and the ip it gives me is a relay.

So it seems ip-check.info sometimes has issues to detect Tor ip addresses.

March 25, 2019

In reply to boklm

Permalink

Thank you. I personally never had a problem at that site before (always green) but its good to know I am not alone at lest. heh

March 25, 2019

Permalink

I am using an old Tor Browser Version becaus of my old Windows version. Since this weekend the browser is basiclly useless. I can start it, but the connection to the Tor Network takes much longer than normal. After the connection is etablished, it takes forever to load any website. The Protokoll says:

25.03.2019 09:35:46.600 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
25.03.2019 09:36:22.000 [NOTICE] Bootstrapped 90%: Establishing a Tor circuit
25.03.2019 09:37:09.200 [WARN] Your Guard bonjour1 ($D80EA21626BFAE8044E4037FE765252E157E3586) is failing a very large amount of circuits. Most likely this means the Tor network is overloaded, but it could also mean an attack against you or potentially the guard itself. Success counts are 110/226. Use counts are 85/85. 113 circuits completed, 0 were unusable, 2 collapsed, and 121 timed out. For reference, your timeout cutoff is 60 seconds.
25.03.2019 09:37:22.200 [NOTICE] No circuits are opened. Relaxed timeout for circuit 1 (a General-purpose client 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.

Whats the problem?

https://metrics.torproject.org/rs.html#details/D80EA21626BFAE8044E4037F…
In the log you pasted, your first node (Guard) is named bonjour1, and its fingerprint is the capital hexadecimal string. Enter either of those in the Relay Search or click my link. Look at the "6 Months" history graph at the bottom. The bytes-per-second lines fell sharply after March 22. Something is affecting that guard node. I don't know how to change your guard node except by reinstalling Tor Browser or setting the Bridge options.

> I am using an old Tor Browser Version becaus of my old Windows version.
If Windows 7+ is not possible or wanted, try writing a Live USB or a Live DVD of a Linux distribution such as Tails or another listed in the right-side ranking column on distrowatch.com or search for one by attributes: https://distrowatch.com/search.php A Live distribution runs totally in RAM and will not write or change your hard drives or SSD. You can boot into the Live distro, try it out, shut down, remove the USB or DVD, and boot again to return to your original OS. It won't write or install itself to your HDD or SSD unless you tell it to. Machines exposed to the internet should not be running an outdated OS.

Solution found (at least a little workaround): start your tor browser, Tor sais "Tor-Kanal wird hergestellt/Tor channel...." (I use the german version), wait a few seconds, disable your internetconnection but keep your Tor-browserwindow on screen, enable your internetconnection, press the "verbinden/connect" button in your tor-browser. It seems Tor will now use a diffenernt node. Unfortunately this only works ones. If you close and start your Tor-Browser again, you have still the same problem and you have to do the same procedure again.

Sorry for my bad english :-)

On the one hand, I want to say it shouldn't be allowed to fail hard -- that it should lookup a new guard if it can't connect to the one it used the previous time. But on the other hand, what if you're up against a state adversary who wants you to connect to guards deployed by the state? If it automatically looks up another, it would keep trying until it chooses one the state allows you to connect to, and you wouldn't have a clue of the difference from looking at the connection progress bar except that it took a little longer. It should not be easy to get a different guard node. If it was made easy, there should be a massive warning message.

March 25, 2019

Permalink

2 fixes requested please

First, it always takes several tries to drag the HTTPS-Everywhere icon to the top bar (near noscript). It's so annoying, please fix it.

Second, has the user agent spoofing been fixed in Linux yet?

I am not sure I understand your first problem, the icon should either show up automatically after the second start of a fresh Tor Browser or you should just need to drag it to the toolbar with the usual toolbar customization flow. What's the issue with dragging that icon? And does that happen in a Firefox 60 ESR as well (if you installed HTTPS-Everywhere there?).

Re your second question: I guess you mean https://trac.torproject.org/projects/tor/ticket/28290? That's still open.

March 26, 2019

In reply to gk

Permalink

Is the UA Spoofing referring to;

: about:config

: network.http.referer.spoofSource;false - (Spoof : UA & Referrer)

: privacy.spoof_english;0 - (Request English versions of web pages for enhanced privacy)

March 25, 2019

Permalink

I have fire 66 using Tor browser as a proxy. I have Firefox manual proxy configuration to 127.0.0.1 using port 9150.
while using firefox with youtube (not logged in) what will happen is after a period of time the video will stop and I get a message such as this "An error occurred. please try again later. (playback ID:kVBiM8y1yJcS-duF" but if I go to "recent histroy.." and only "clear logins" it recovers.

This only occurred recently with Youtube within a month.

Obligatory warnings:
"In past times, a user would simply change the internal settings of a particular piece of software to "torify" it, like Mozilla Firefox - eventually as the dangers became more clear, the Tor Browser was created."
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO

"The modified copy of Firefox [in the Tor Browser Bundle] aims to resolve the privacy and security issues in mainline version."
https://www.torproject.org/getinvolved/volunteer.html.en#project-torbro…

"Almost any other web browser configuration is likely to be unsafe to use with Tor."
https://www.torproject.org/download/download-easy.html.en#warning

"In short, using any browser besides Tor Browser with Tor is a really bad idea."
https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser

About your issue, I see errors in Tor Browser like the ones you describe if I leave a YouTube tab open for a long time and then try to play the video. It could be related to Tor changing idle circuits about every 10 minutes and YouTube buffering pieces of the video based on your unique session on the website. When idle circuits change, it could be that YouTube loses track of your session. When the error happens, I note my position in the video and simply refresh the page to get it playing again. That problem has been going on for years. I don't have a "clear logins" because I don't log in to YouTube.

The "clear logins" is from Firefox not youtube.

youtube continues to play even after a circuit change. It happens about 4 to 5 times in a day of continous play and I do not log into youtube.

Library --> History --> Clear Recent History is not clickable in Tor Browser Bundle because the History preferences are set to always start in Private Browsing mode. Deviating from that setting would be considered an advanced customization -- and risky -- in TBB, but the default preferences are set differently in Firefox, so that function is outside the scope of support for TBB.

Your error is seen in all major browsers, not only in Tor Browser. If you had searched the web for the error message in quotation marks, you would find websites reporting it in Firefox, Chrome, Opera, Edge, etc. My guess is that "clear logins" in Firefox deletes login cookies and/or the SSL session. Some websites report the error may instead be caused by the DNS cache or browser addons. Some answers echo the other reply to refresh the page. Moreover, I can't find the exact feature "clear logins", but I did find "Active logins" under "Clear Recent History".

If you configured Firefox to proxy over tor because you have an old OS that Tor Browser no longer supports, then please learn to write a Live USB or a Live DVD with a recent Linux distribution chosen from distrowatch.com. Live USB's boot a desktop environment in RAM and won't write or install themselves to your hard drives unless you say so. Tor Project recommends Tails.

Color Depth, System Fonts and Platform are shown, clicking "Show full results for fingerprinting".
Also, Color depth and Pixel depth of Screen information and Platform of System information are leaked under safe and safer at IP/DNS Detect.
Mac and Linux are used in the tests.

It seems Tor Browser sometimes forcibly accesses discrete GPU in a site, like as Fire Fox. Tor Browser and Fire Fox temporally make OSs hang up at this time. This doesn't happen in other browses. I can't find causes for this.

more useful would be how "unique" (common or uncommon) a Panopticlick visitor is among all visitors with the same user-agent.
or how "unique" among all Panopticlick visitors using the newest version at the time of their visit, such as IE8 in 2009.

But OS info is leaked.
Getting worse.
The results of tests in some sites
https://panopticlick.eff.org
Tor Browser 756
User Agent 7.36 164.27 Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Platform 1.29 2.45 Win32

Tor Browser 808
User Agent 3.57 11.86 Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
Platform 3.07 8.4 MacIntel

https://ipleak.net/
Tor Browser 756
System information
(your browser, your language, your operating system, etc)
Platform: Win32

Tor Browser 808
System information
(your browser, your language, your operating system, etc)
Platform: MacIntel

https://whoer.net/
Tor Browser 756
Headers:
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
JavaScript:
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0

Tor Browser 808
Headers:
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
JavaScript:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0

https://www.doileak.com
Tor Browser 756
Operating System: We have detected multiple OS:
Windows (Javascript, User Agent, JS UA, )
Linux (Fingerprint, )
If different OS detection methods deliver different results you may be a bot, or a human using a proxy or a virtual machine.

Tor Browser 808
Operating System: We have detected multiple OS:
Mac OS X (Javascript, )
Windows (User Agent, )
Macintosh (JS UA, )
Linux (Fingerprint, )
If different OS detection methods deliver different results you may be a bot, or a human using a proxy or a virtual machine.

https://browserleaks.com/javascript
Tor Browser 756
userAgent Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
appVersion 5.0 (Windows)
platform Win32
oscpu Windows NT 6.1

Tor Browser 808
userAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
appVersion 5.0 (Macintosh)
platform MacIntel
oscpu Intel Mac OS X 10.13

About GPU
The same as ticket 29807?/
Maybe, What you should know when supporting Multiple GPUs and Allowing OpenGL applications to utilize the integrated GPU are hints.

Additional test
Use add-on User-Agent Switcher by Alexander Schlarb
This is because general.useragent.override is deleted in about:cconfig of Tor Browser 808
https://panopticlick.eff.org
https://ipleak.net/
https://whoer.net/
https://browserleaks.com/javascript
OS leak can be avoided.

https://www.doileak.com
Operating System: We have detected multiple OS:
Windows (Javascript, User Agent, JS UA, )
Linux (Fingerprint, )
If different OS detection methods deliver different results you may be a bot, or a human using a proxy or a virtual machin

I think this loses our anonymities and is critial, due to distinguishing from others users using platforms.
panopticlick is referred to as a test site
in Frequently asked questions 5.5 How to analyse the results of online anonymity tests? in Tails.

layers.amd-switchable-gfx.enabled is true in about:config. It means Tor Browser permits accesses to Hard-Ware. I know Tor Project don't recommend the usage of Hard-Ware.

true remains in some of gfx.foo of about:config.

March 26, 2019

Permalink

I'm using Tor-Browser-808 with; 'Security Settings' -> 'Security Level' -> 'Safest'

Given I have contemplated the compromise between; Anonymity vs Security vs Speed

I wanted a safer option for http & https sites,

I wanted to include DNS hosts filtering for bad-actor sites.

https://blog.torproject.org/comment/280037#comment-280037

https://blog.torproject.org/comment/280046#comment-280046

https://blog.torproject.org/comment/280090#comment-280090

As Tails includes 'uBlock Origin'

Features and included software - https://tails.boum.org/doc/about/features/index.en.html

Included software - uBlock Origin by Raymond Hill

- https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

I have installed 'uBlock Origin' with 'Auto-update filter lists' un-Ticked

( I update at least once per week )

In about:addons -> 'uBlock Origin Preferences' -> 'Filter lists' -> 'Custom'

I added;

https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/f…

This gives me HOSTS Filtering,

and brings up the ' uBlock Origin has prevented the following page from loading '

page, and gives me the option to allow-access, temporarily-allow or deny-access

I sure others are using 'uBlock Origin' , how badly does using it break my Anonymity ?

When you install add-ons or make certain modifications, they change your browser's fingerprint away from default TBB users and make you appear more unique. Scroll up to see a comment thread about panopticlick. I don't know how badly. I make a New Identity and change the security slider instead.

March 27, 2019

Permalink

TBB 8.0.8 seems to be working for me on Debian stable but the Tor network seems to be unusually slow.

I use the onion mirrors to update my Debian system and this has been almost unusable today (March 27, 2019).

I am worried about Article 13 but hope there is no connection because legal problems might be much harder to fix than a technical issue.

Just wanted to make sure Tor Project and Debian Project keep trying to keep that invaluable service running!

March 28, 2019

Permalink

Subject #29032 new defect Tor Browser 8.0.4 stops working correctly in Virtualbox on Windows

After i tried 8.0.4 in Virtualbox i found this error.
https://blog.torproject.org/comment/278874#comment-278874

There is a bug ticket for that
https://trac.torproject.org/projects/tor/ticket/29032

I looked into it some more. And i found this.

I have tracked the problem down to a single file.
\Browser\browser\omni.ja

I installed 8.0.3 and then 8.0.8. Then i copied over every file from 8.0.8 to 8.0.3 except for this file.
\Browser\browser\omni.ja

There must have been changes to it from 8.0.3 to 8.0.4.
The problem persists since 8.0.4 up to 8.0.8.

Just for fun I tried Help,About Torbrowser,Check for Updates, then it says there are no updates availlable. Update over the Tor Browser Extension delivers the same result.
The only file unchanged from 8.0.3 is \Browser\browser\omni.ja
Only this file seems to need a fix.

Under About, Firefox version is still 60.3.0esr and Torbrowser 8.0.3. The Updater believes version numbers to be the current ones from 8.0.8. So it sees no need for an update.

Other than that everything seems to work.

What i don't know is if this method will produce additional bugs or not. This is not completely 8.0.8 so it could make this browser more recognizable than standard 8.0.8. Or it doesn't.

I renamed the files and added the version.

binary file compare with FC.EXE
FC.EXE says FC: 803_omni.ja is longer than 808_OMNI.JA

Which could mean Firefox needs things in Virtualbox that are present in 803_omni.ja but not in 808_omni.ja

803_omni.ja works and 808_omni.ja doesn't.

omni.ja looks like a compiled file, different compiler versions, settings or codelines.

There are two such files in Torbrowser
\Browser\browser\omni.ja 11MB
and
\browser\omni.ja 5MB

The file is \Browser\browser\omni.ja 11MB.
It does the text display.

The other one is fine.

Thanks for narrowing this further down. I try to help you finding the culprit this week (I wanted to do so at some point during the last 2 weeks already but I am swamped with other more high-prio work). Meanwhile if you want to go further down the rabbit hole: omni.ja files are regular .zip files. Thus, you could extract both the working one and the non-working one and do a file comparison figuring out which file change caused the problem. We probably can easily map that to the actual code commit causing your bug.

April 22, 2019

In reply to gk

Permalink

Thanks for telling me these files are zip archives. Didn't know that.

803_omni.ja has 2679 files in it.
808_omni.ja has 2678 files in it.

803_omni.ja\chrome
2524 files

808_omni.ja\chrome
2523 files

803_omni.ja\chrome\en-US\locale\browser\searchplugins
20 files

808_omni.ja\chrome\en-US\locale\browser\searchplugins
19 files

803_omni.ja\chrome\en-US\locale\browser\searchplugins\google-2018.xml
This file isn't present in 808.

A google-2018.xml file would not possibly be read every time a page is rendered, would it?

Possible errors in JavaScript files would be more plausible.

1318 .js in 803 and 808 each.

22.209.009 Bytes .js in 803_omni.ja
22.209.728 Bytes .js in 808_omni.ja

124 .jsm in 803 and 808 each.

2.366.279 Bytes .jsm in 803_omni.ja
2.374.036 Bytes .jsm in 808_omni.ja

803_omni.ja\components\EnterprisePolicies.js 14kB
808_omni.ja\components\EnterprisePolicies.js 15kB
803_omni.ja\defaults\preferences\firefox.js 81kB
808_omni.ja\defaults\preferences\firefox.js 80kB
803_omni.ja\modules\policies\Policies.jsm 32kB
808_omni.ja\modules\policies\Policies.jsm 37kB
803_omni.ja\modules\policies\PoliciesValidator.jsm 5kB
808_omni.ja\modules\policies\PoliciesValidator.jsm 6kB

April 29, 2019

In reply to gk

Permalink

PAGE 1v3
Here are the things i tried.
By preferences you mean those reachable over the gui, correct? Is it possible there are different sets of preferences, those visible in the gui and another set that isn't? With previous tests i tried to figure out where looking is worthwhile. So i found firefox.js. What i don't know is how this file really works. Searching for 'Geolocation' in the Options has turned up nothing. But it is in firefox.js. I haven't found the setting yet. But Hopefully...
Are all settings of under about:config indeed completely in firefox.js? Without exception?
Is that it?

But how is pref("geo.provider.ms-windows-location"); supposed to work if firefox.js is commented out? It only changes the setting in firefox.js if it isn't commented out.

So I tried pref("geo.provider.ms-windows-location" but no change. I see! It does nothing, it's commented out.

This must mean pref()s with // for firefox.js do nothing. In lines without // that are no comment, there we could hope to find something. Correct? It took me a while. But, how do the pref()s know in which file to change what and where the file is when path and file are in a comment.

// Migrate any existing Firefox Account data from the default profile to the
// Developer Edition profile.
The @line numbers are different. Only one is present in both versions.
@line 1432

In the Geolocation part it is this one:
@line 1356

But what i found next could be the problem.

803 firefox.js
//@line 1358 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
pref("geo.provider.ms-windows-location", false);

808 firefox.js
// Set to false if things are really broken.
//@line 1359 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"
pref("geo.provider.ms-windows-location", true);
geo.provider.ms-windows-location is indeed a setting under about:config.

-I will try.
-That wasn't the problem.

Next:
//@line 1358 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
Means a line in firefox.js in the local directory
/var/tmp/build/firefox-858720263bed/browser/app/profile/
And pref("geo.provider.ms-windows-location", false);
is the setting in firefox.js @line 1358 of this file.
And i remember // means its a comment. So this setting doesn't do anything.

April 29, 2019

In reply to gk

Permalink

PAGE 2v3
803 firefox.js
// All the Geolocation preferences are here.
//

// Geolocation preferences for the RELEASE and "later" Beta channels.
// Some of these prefs are specified even though they are redundant; they are
// here for clarity and end-user experiments.
//@line 1351 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
pref("geo.wifi.uri", "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%");

//@line 1356 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

//@line 1358 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
pref("geo.provider.ms-windows-location", false);
//@line 1360 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

//@line 1364 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

//@line 1385 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

808 firefox.js
// All the Geolocation preferences are here.
//
//@line 1347 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"
pref("geo.wifi.uri", "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATIO…%");
//@line 1352 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

//@line 1356 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

// Set to false if things are really broken.
//@line 1359 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"
pref("geo.provider.ms-windows-location", true);
//@line 1361 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

//@line 1365 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

803 vs 808 line present in both versions
803 vs 308 lines only present in the respective file

It seems something was to be tried and seemed to work at first, but not in every case.
// Set to false if things are really broken. Only Present in 808, not 803.

April 29, 2019

In reply to gk

Permalink

PAGE 3v3
803 firefox.js
// Migrate any existing Firefox Account data from the default profile to the
// Developer Edition profile.
//@line 1425 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
pref("identity.fxaccounts.migrateToDevEdition", false);
//@line 1427 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

// On GTK, we now default to showing the menubar only when alt is pressed:
//@line 1432 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

// Encrypted media extensions.
//@line 1444 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
pref("media.eme.enabled", true);
//@line 1446 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

//@line 1450 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"
pref("media.eme.vp9-in-mp4.enabled", false);
//@line 1452 "/var/tmp/build/firefox-858720263bed/browser/app/profile/firefox.js"

808 firefox.js
// Migrate any existing Firefox Account data from the default profile to the
// Developer Edition profile.
//@line 1405 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"
pref("identity.fxaccounts.migrateToDevEdition", false);
//@line 1407 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

// On GTK, we now default to showing the menubar only when alt is pressed:
//@line 1412 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

// Encrypted media extensions.
//@line 1424 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"
pref("media.eme.enabled", true);
//@line 1426 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

//@line 1430 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"
pref("media.eme.vp9-in-mp4.enabled", false);
//@line 1432 "/var/tmp/build/firefox-57642f36905a/browser/app/profile/firefox.js"

803 vs 808 line present in both versions
803 vs 308 lines only present in the respective file

I opened both files, task-switched between them and searched for changes. That's how i found those lines. pref() commands are preferences. Are they all in firefox.js?
How do those //@line numbers work? They are all commented out with //.

:( Noticed too late there are no tags for color.

You can ignore the "//" lines, those are only comments. The pref() lines are the important ones. So, the relevant preferences to test are those that changed between 8.0.3 and 8.0.4 (or later versions that have your bug). I am not sure whether they are all exposed via about:config. But once you create them there in case they aren't available you should be able to reproduce the buggy behavior (i.e. I don't think they have to be visible right from the beginning in about:config to reproduce the bug).

May 12, 2019

In reply to gk

Permalink

I switched all boolean data types under about:config to modified but that didn't solve it. At least we now know not to look for binary switches in firefox.js.

May 12, 2019

In reply to gk

Permalink

656 ''PREF('' in firefox.js
3744 Settings in about:config
The numbers aren't the same. pref-lines from firefox.js are to be found in about:config. I searched for some and found them there. Chances are they all are. In other words firefox.js seems to be a subset of about:config. It looks to be the case. By testing all boolean data types those booleans in firefox.js are ruled out already. Integers and Strings remain.

656 preferences are a huge amount.
false 126
true 255
boolean 381
strings and integers 275 remaining

Now i finally found something i hope.

In Tor-Browser 8.0.4 the about:tor page has no text, but links are clickable. The cursor changes.

But the new page https://www.torproject.org/ from 2019 all text is shown, all links work.

About:Tor
https://postimg.cc/jLjKJzBk

torproject.org
https://postimg.cc/F7bc7Q5x

Both screenshots are from Tor-Browser 8.0.4 installed from scratch without any changes.
Only the Menu Bar is switched on. It is much easier to use this way.

My guess is now that different fonts are used. There has to be going on something more than preferences. This much i suspected from the start and here it is.

about:tor
font-family: Helvetica, Arial, sans-serif;
https://postimg.cc/TpxjFwRQ

torproject.org
font-family: "Source Sans Pro", -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
https://postimg.cc/VdzM4VRV

March 28, 2019

Permalink

My onion icon will grey out sometimes, the dropdown will still show and I can change its settings, also the circuits look ok. If I restart tbb the icon is light up again. I cant reproduce this at will, it just happens. Should I be concerned about this?

March 29, 2019

Permalink

Hi, is something going on in the Tor Network ? Since days I cant access the NEt with Tor, even the Tor Homepage gets me a connection time out. An update on the 8.0.8 Version didnt help either.
Freenet works fine.

March 29, 2019

Permalink

1) Every time I try to "upgrade" from 8.0.6 to the current 8.0.8, I am unable to access my centurylink.net mail accounts. This is very annoying. Normally I use icedove, but worry about security. Any clue as to what is happening? 2) Anything I can do to provide details of the transaction without compromising my login? 3) Is there a tor capable version of Icedove or similar? I just need to handle my e-mail. I'm not too particular, but need filtering and multiple e-mails(eg a@host, b@host, c@host), but have never studied the details of mail servers etc.. 4) Lastly and most importantly, how do I get back to 8.0.6 so things work? I can restore the whole thing but it wipes out my setup. I'm getting real tired of that. Do you have a script or similar that will "unbreak" tor given an new install directory/tarball and a broken one (linux), but leave the bookmarks, homepage etc intact? Eg `tor-unbreak new-tor-dir/ broken-tor-dir/`

Icedove is based on Thunderbird. Debian Stable de-branded Icedove back to Thunderbird on April 20, 2017.

1) Has your mail server changed anything on its end? Is it possible that Tor isn't the problem? Have they installed or changed captchas or Cloudflare things? Do you know if your accounts are accessible in your normal browser? Have you asked your mail provider? You said you use the stable Tor Browser releases, not alpha, so if the problem is definitely caused by Tor, look at the changelog for each stable Tor Browser Bundle version after 8.0.6: 8.0.7, 8.0.8. If you torify Icedove, that means you should look more closely at the changelog for each stable tor binary after the one shipped in Tor Browser Bundle 8.0.6 which was tor 0.3.5.7: tor 0.3.5.8

2) As long as the problem is not from your mail provider and you didn't change Icedove preferences since installing 8.0.6, the search for a solution can start in the tor log and version changelogs. Have you tried to access your mail account by its web interface in Tor Browser rather than by Icedove? Can you access other websites? If nothing is accessible, then it's useful to check the tor log. In "Tor Network Settings", there is a button that will copy the tor log to clipboard. If you can't access any websites in Tor Browser, copy the log, choose a pastebin website using your normal browser, and link us to your paste.

3) No, not that I know of, but take a look at Torbirdy, a Thunderbird add-on developed by Tor Project.
a) TorifyHOWTO
b) TorifyHOWTO/EMail/Thunderbird
c) torbirdy

4) Things where? If you're only talking about Tor Browser, backup or export your profile folder. Then, fully uninstall and delete the Tor Browser folder, install the other version, start Tor Browser so it sets up the default profile, close it, and copy your backups over the default files. Bookmarks, including keywords, tags, and descriptions, can be exported in a JSON or HTML file. The homepage can be saved as a bookmark or pasted in a text file.

March 30, 2019

Permalink

what is the error below describe. It occurs when I try to use a request bridge.

3/30/19, 10:40:12.839 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying known bridges again.

April 01, 2019

Permalink

Unresponsive script message appears. I get the following more than once a week.

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: chrome://torbutton/content/tor-circuit-display.js:145

April 01, 2019

Permalink

Is this a potential information leak ??

Go to a web-site with an embedded video element,

Expected. - black-insert in webpage, Click on the black-insert >>

black-insert & frown-face & Text : ' No video with supported format and MIME type found '

Ctrl+I (page Info) > Media Tab > highlight an embedded video element,

video auto-cues & shows a preview-image > press play, video plays.

This test was conducted with a .mp4 embedded video element.

TBB v808, *nix, NoScript (Security Level : Safest)

Are you saying the video plays in the Page Info > Media window? That would be interesting.... Other things can load in strange tabs. Searches can be done in the Add-ons tab. Some tools in the Web Developer menu can render web content. Probably other places....

April 02, 2019

Permalink

On a high sierra mac os running 10.13.6 my torbrowser security settings changed from safest to standard.

April 05, 2019

Permalink

circuit shows “--unknown--” as exit node instead of the site you are visiting:

As I've already pointed out here:

https://blog.torproject.org/new-release-tor-browser-806?page=2

(Torlion (not verified) said: - March 01, 2019)

And somebody else with a similar issue pointed out here:

https://blog.torproject.org/new-release-tor-browser-807#comments

(Critial issue/… (not verified) said: – March 21, 2019)

there is an issue concerning the exit node in the circuit.

As I've experienced this issue several times again, I had another try to find out, what causes this problem. I've found a way to reproduce the issue and how to solve the problem. It's a bit difficult to explain, that's why I'll try by giving an example:

Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page)

Try the following changes concerning third-party cookies. On the left you see the setting, after the dashes you see the result of the exit node shown in the circuit. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:

Go on “options” - Privacy and Security” - “Accept third-party cookies and site data” and
set the following for third-party cookies:

“Never” – exit node is ok – wikipedia.org
“From visited” – exit node is ok – wikipedia.org
“Always” – exit node is not ok “--unknown--”
“From visited” – exit node is not ok “--unknown--”

If you change the settings from “Never” to “From visited”, the circuit shows the correct exit node. If you change the settings from “Always” back to “From visited” you will get the “--unknown--” issue.

Stay on Wikipedia (wikipedia.org) and try the following. After changing the settings, you have to refresh the page or click on “New Circuit for this Site”:

First Step:

Set the following for third-party cookies:

“Never” – exit node is ok – wikipedia.org

Now, choose “Block cookies and site data (may cause websites to break)”

Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”

Result: exit node in circuit is ok – says “ wikipedia.org”

Second Step:

Go on “options” - Privacy and Security” - “Accept third-party cookies and site data”.

Set the following for third-party cookies:

“Always” – not ok – “--unknown--”

Now, choose “Block cookies and site data (may cause websites to break)”

Go back to wikipedia.org and refresh page or click on “New Circuit for this Site”

Result: exit node in circuit is not ok – says “--unknown--”

In both steps you have “Block cookies and site data (may cause websites to break)” and “Accept third-party cookies and site data Never” (greyed out). So it seems to be identical, however, setting “Always” for third-party cookies and then clicking on “ Block cookies and site data (may cause websites to break)” will cause the “--unknown--” issue, whereas setting “Never” for third-party cookies and then clicking on “Block cookies and site data (may cause websites to break)”will not cause the “--unknown--” issue”, and in the last case you will see the correct exit node in the circuit (which is “wikipedia.org_” in my example).

Go on options and set “Accept third-party cookies and site data Never”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”

Go on options and set “Accept third-party cookies and site data Always”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is circuit is not ok – says “--unknown--”

Go on options and set “Accept third-party cookies and site data “Never” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is ok – says “wikipedia.org”

Go on options and set “Accept third-party cookies and site data “Always” and then click on “Block cookies and site data (may cause websites to break)”. Close Tor Browser and open again. Go on Wikipedia (https://en.wikipedia.org/wiki/Main_Page). Check circuit. Exit node is not ok – says “--unknown--”

At this point the user gets stucked, because when having a look into the Options now, under “Privacy & Security” and “Cookies and Site Data”, you will see that cookies are blocked, but also the greyed out “Accept third-party cookies and site data “Never”. Now click again on “Accept third-party cookies and site data (recommended)“ and the greyed out “Never” changes into a black “Always”.

Solution:

Go on “Options” - “Privacy & Security” and “Cookies and Site Data”, change the black “Always” into “Never”. Go back to the page, where you have experienced the “--unknown--” issue (in my example “Wikipedia”), refresh the page or click on “New Circuit for this Site” and the “--unknown--” issue is gone. In my example you will see “wikipedia.org” again.

If you now wish to block cookies again, make sure you have set “Accept third-party cookies and site data “Never” and NOT “Always”. Even if you close and reopen Tor Browser you won't get the “--unknown” issue any longer.

I really can't tell you why changing the settings for cookies influences the circuit. Maybe the developers of Tor Browser can find out what is all behind this or maybe one of you computer techies. I'm sorry for not having the technical knowledge to find out what is wrong. The only thing possible for me was to find out that quite obviously the settings for cookies changes something in the circuit. I hope I could help nevertheless.

April 05, 2019

Permalink

Hello again. I sure wish someone could figure out why the Tor browser bookmark function does not work with Windows 10, which is on my desktop. No blue star, no nothing. It's like the function is deactivated. My laptop runs Windows 7 and bookmarking works with every Tor version. Thanks.

It sounds like a problem in Firefox, not just Tor Browser. It could be that you mistakenly clicked something that removed the icon. Do you see an icon with 3 dots "..." at the end of the address bar? Hover your mouse cursor on it, and a tooltip should say, "Page actions". Click on the icon, and you'll see one of the items in there says, "Bookmark this page". You can click that to add or edit the bookmark. To show the blue star icon, right-click on "Bookmark this page" in that menu, and another popup will say Add to/Remove from Address Bar. Click that.

It's too hidden, and I couldn't find a preference anywhere else to control it. Solutions around the web reference old versions of Firefox that had the star separated from the address bar.

April 05, 2019

Permalink

TOR 8.0.8 on diff. Devices and TOR-Installs (Entry Guards - NODES) gives me that (only one Example) - of many Packets like this (Observed from an LAN-LINE)

PAKET 1482

SOURCE 192.168.1.75
DESTIN 192.42.115.102
LENGTH 590
PROTOC TCPROS
INFORM [ROS Msg] [Malformed Packet]

- TCP based Robot Operating System protocol (TCPROS)
- Message Length: 66326

---------------------------------------------------------------------------------

PAKET 2182

SOURCE 192.42.115.102
DESTIN 192.168.1.75
LENGTH 1514
PROTOC TCPROS
INFORM [ROS Conn] Metadata: ........ (Cryptic)

- TCP based Robot Operating System protocol (TCPROS)
- Header Length: 197398
- Header Content: 39 02 00 00 35 .....
- Field: 5\003\003\305A\301 .....
- Field Length: 569
- Field Content: 5\003\003\305A\301\3131Y .....
- Name: 5\003\003\305A\301\3131Y\243>K%W .....
- Value: \355\017\352jKp\366\302\324\301y .....

---------------------------------------------------------------------------------

April 07, 2019

Permalink

hi
since this version, i barely can launch it, it takes forever to connect and open the homepage, than no navigation.
this happens with or without VPN

using Mojave, never had this problem before

Check your Tor log for warnings or errors.
onion icon --> Tor Network Settings --> Copy Tor Log to Clipboard.

Check your guard node (the first node in your circuit) for problems. Search for its IP address or name or fingerprint (long hexadecimal string of characters) in Tor Metrics Relay Search.
https://metrics.torproject.org/rs.html
Try this thread if relay search shows problems:
https://blog.torproject.org/comment/280436#comment-280436

April 11, 2019

Permalink

I am always getting the same bridge when I make a request "request a bridge from the torproject.org" it XXX.XX.XX.XX:443. and I now only get one bridge instead of 3. Is this normal?

Well, you should not get different bridges as otherwise an attacker could just try over and over again and enumerate all bridges and block them easily. I am not sure why you get one. It could be that there are not more with your requirements available (currently).

I think gk didn't recognize that when you said, "Request a bridge from torproject.org", you were referencing a radio button in TorButton > Tor Network Settings, not on the BridgeDB website. On the bridge selection page of https://bridges.torproject.org/ are advanced options for you to select the type of pluggable transport and IP version 6. The requirements gk meant are probably those options.

May 04, 2019

In reply to gk

Permalink

Just to elaborate the transport issue. With "Tor censored in my country" selected and I choose a "request a bridge from torproject" I always get the same bridge IP and port and since the port is not open I will state IP and port which is XX.XX.XX.XX:PPPPP etc....

this port is closed and will never complete a circuit and this started happening about 1 month ago. I have tried it on different networks and the same bridge appears.

"tormac" has posted at least three bridges in public in different blog posts. Stop. We really need to give people a tool button or guide to convert them to a hashed fingerprint.

If python is installed, type on the command line:
python -c 'import binascii; import hashlib; fingerprint = "0123456789ABCDEF0123456789ABCDEF01234567"; print("Hashed fingerprint: " + hashlib.sha1(binascii.a2b_hex(fingerprint)).hexdigest().upper())'
Replace 0123... with the fingerprint. It would be better if it was built-in TorButton.

> the port is not open

Where? On your local firewalls, or on the bridge server? Ports 80 and 443 on a destination server are the most common ports allowed for outgoing traffic from clients (you) to internet destinations because they are used by HTTP/S website traffic. You said the bridge listens on port 443. Is your local firewall blocking the bridge IP or port? Either reconfigure your firewall, or enable "This computer goes through a firewall", an option under where you set the bridge option. If you are in China, select the "meek-azure" pluggable transport option, not obs4, when you request bridges.

Find out if the bridge is down by going on relay search and pasting the bridge's fingerprint there. For bridges, you can't search by IP, only hashed fingerprint. Searching for a bridge by IP will always return "not found". Other nodes (guard, middle relay, exit) can be searched by IP, but bridges cannot. The fingerprint is a long hexadecimal string in the bridge line. Keep the fingerprint a secret.
https://metrics.torproject.org/rs.html
https://2019.www.torproject.org/docs/bridges.html.en#Understanding

If your firewall is not blocking the IPs or ports, and the bridge is online, then the bridge might be misconfigured or something unknown between you and the bridge might be interfering. First, investigate the options you can control and information that is available.

April 12, 2019

Permalink

I thought that tor was a background app and I could run safari, Apple mail and Verizon outlook on it.
Please some fill me in

Well, the Tor daemon is a background app which you can use. However the Tor Project does not provide binaries for those. However, I assume there are some available for macOS. You then need to configure the apps that you want to use Tor with, so they start sending the traffic over it instead of connecting directly.

The Tor Browser Bundle is what most people use. It's a specially configured Firefox that comes with the tor daemon. To the apps you run, the tor daemon that runs in the background looks like a SOCKS5 proxy but without UDP. As for Tor Browser, you can think of Tor Browser like an extremely secure and private Safari.

For Safari, first review warnings. To browse websites over Tor, it's better to use Tor Browser than Safari over Tor.

The idea is to torify the apps you want to use over tor. The main thing is to change the proxy settings in the app to point to the tor daemon's listening address:port which is 127.0.0.1:9050 in the standalone daemon or 127.0.0.1:9150 in the Tor Browser Bundle. Read the torify documentation because most apps are not configured securely, and some cannot be configured to be secure.

After you read the general torify introduction, read the warning that some mail services lock out Tor users. You can start to torify Apple Mail and Outlook on the Tor and Email page. Make sure client-server traffic is encrypted by StartTLS (STLS), POP3S, or IMAPS on ports 993 or 995. To use POP3 or IMAP over Tor, it's better to use Thunderbird than closed-source proprietary apps over Tor. It's easier to use a mail website in Tor Browser than POP3 or IMAP apps over Tor.

April 24, 2019

Permalink

I cannot update to 8.0.8 on Windows Vista, it always says you need Windows 7 !! So just carry on using 7.5.6 !

Yes, security support for Windows Vista is long gone and Mozilla therefore does not support it anymore either which is why we followed them along. Please update your operating system as Tor Browser might not be of much help in protecting you otherwise.

April 26, 2019

Permalink

8.0.x
Until version 7.5.6 it was possible to install Tor browser on Win81 (64bit) host and run it OR
run the same installation from a VMware Ws Win81 guest via a win share.
Like a portable installation one could run from client or from host.
From Tor browser 8.0 on this is no longer possible.

Running Tor browser installed in a Win81 VMware guest OR running Tor browser in a Win81 guest with host-installed files:
When closing the prog RAM consuming is increasing and finally Torbrowser crashes. Same problems with some 7.x versions.

No problems with Tor browser version 7.5.6 (32bit).
It works installed on a host, installed on a guest or it works from Ws Win81 guest with an installation on a host. Without any problems.

The tested Tor browser were unmodified, no changes in about:config, no add-ons.

Apart from that problem, the size of 'place.sqlite' has decreased.
Are there any changes in the db structure?

I have not checked whether Mozilla changed anything in their database scheme, maybe.

You said that some 7.x versions were affected by a similar issue in your setup. Could you figure out which version was the last one that has that problem for you? Maybe that could give us some clue as to what is happening with Tor Browser 8 for you (see https://archive.torproject.org/tor-package-archive/torbrowser/ for older bundles).

Are you able to run 64bit Windows bundles? If so, does the same happen with those bundles or is that a 32bit problem?

April 27, 2019

Permalink

#define Delta(value, base_multiplier, time_elapsed) ((++value * base_multiplier) / time_elapsed)

JK amateurish folly,

Was wondering if you wonderful concerned humanitarians would update your web-servers' security to transport layer security version 1.3, with SHA384, and a 256 bit key?

April 29, 2019

In reply to gk

Permalink

fwiw, the #define line is not in tor-0.3.5.8 source code. As for TLS, click the green padlock, ">" button, "More Information" brings up the Page Info window that contains the tabs: General, Media, Permissions, Security. On www. and blog. the Security tab bottom heading Technical Details are (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2). I don't know if they were talking about those servers or others.

April 29, 2019

Permalink

Why does Tor update when I specifically and repeatedly decline? The new updates breaks things and then I have to restore from tarball and loose many links. This is *very* annoying. If I say, no, I mean no.

I think it depends on how you say "no". If you start Tor Browser and then go into settings and say you don't want to have updates to this Tor Browser instance then this is already too late as the update mechanism starts right at start-up time.

"Restart later" doesn't mean "No". Read the window carefully. You can change automatic updates in Preferences, but I don't know how to stop it the first time after installing.

I have to restore from tarball and [lose] many links

In case you aren't able to solve the problem... Before you restore, you can try to recover bookmarks by backing up these files from the tor-browser folder:
.\Browser\TorBrowser\Data\Browser\profile.default\bookmarks.html
.\Browser\TorBrowser\Data\Browser\profile.default\bookmarkbackups

The profile folder is structured as it is in Firefox, so you also can search the web for how to backup, restore, export, and import bookmarks in Firefox.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup…
https://support.mozilla.org/en-US/kb/restore-bookmarks-from-backup-or-m…
http://kb.mozillazine.org/Backing_up_and_restoring_bookmarks_-_Firefox

Thanks, I'll write a script to restore the bookmarks. I've been looking into that a little, but so many things have changed in the past five years (I've been offline that long). But preventing the updates is best. Let me know how to hold my jaw just right so that it understands "no", and it would be appreciated. It seems that if a new release is made, then I have trouble. If it is old, it may work. With the old Tor I can access my centurylink e-mail, until Tor updates, then it breaks. Actually, if the updated Tor worked on my e-mail *that* would be best. Right now the account is messed up and I can't use Tor at all, and have to use Mozilla Thunderbird in the clear. --Iyyov

May 01, 2019

Permalink

I move the profile of the standard Firefox before I start Tor. For the first time, I suddenly had a request from the standard Firefox 'where is the profile'. The Standard Firefox start was hidden. It happened already for the second time. If the profile had not moved, it wouldn't have been noticed. A short initialized standard Firefox, which maybe sends a ping to an address and then immediately closed again. No idea how the standard Firefox was started, did not happen on the same website. Maybe a Html5 script inside one or more websites infiltrated by 'Mad Max'. Hopefully not implemented in Tor, but then surely without Torproject's knowledge. In any case, that happened twice now. The user would be finished.

May 03, 2019

Permalink

Tor Browser all of a sudden disabled all the extensions, after I opened it today.

NoScript could not be verified for use in Tor Browser and has been disabled
NoScript 10.6.1 (disabled)

P.S. why does Tor Browser allow all the extensions/add-ons to update automatically?

May 03, 2019

Permalink

Noscript addon just disabled itself in Tor Browser for Linux. It's showing under Legacy Extensions in Addons Manager, and says in red "Noscript could not be verified for use in Tor Browser and has been disabled".

May 03, 2019

Permalink

Tor browser 8.0.6
Functions that were working yesterday quit working today.

"These extensions do not meet current Tor Browser standards so they have been deactivated."
"NoScript could not be verified for use in Tor Browser and has been disabled."

The FAQ said there's no backdoor in Tor Browser.

May 03, 2019

Permalink

After opening the TorBrowser, I get the following message: "NoScript could not be verified for use in the Torbrowser and has been disabled."

I`m using macOS Mojave 10.14.4

May 03, 2019

Permalink

first i just checked for extension updates and some extensions got disabled,
then i did a fresh install with TBB 808 and the first i saw:
NoScript could not be verified for use in Tor Browser and has been disabled.

May 04, 2019

Permalink

if your add-ons are disabled now > about:config > xpinstall.signatures.required ; false
TBB is phoning home, isn't it?

[after the message is sent this blog is in a reload loop]

May 04, 2019

Permalink

Bad news. This looks like a serious security problem. Mozilla has disabled Noscript 10.2.4 in TBB 8.0.8 today; "Noscript could not be verified for use in Tor Browser and has been disabled" (found in hamburger menu under Add-ons>Extensions>Show legacy extensions). The Noscript button has disappeared from the browser. I've reinstalled TBB 8.0.8, but get the same result. As a consequence, the security slider is not protecting. It slides, but scripts are allowed on "Safest". Yikes. I hope this can be fixed with Giorgio Maone’s help, soon. Thank you.

May 04, 2019

Permalink

Noscript has been deactivated since 4-May-2019 in Tor Browser. Some said it was a bug and will be fixed by Firefox. Is there any comment and solution for this problem?

May 04, 2019

Permalink

My NoScript add on was disabled by tor for "no reason", and when i try to reinstall it it says it cant cause its corrupt... Any solution ? i'm not an expert in this though

May 04, 2019

Permalink

//https://habr.com/ru/post/450478/
//https://www.ghacks.net/2019/05/04/your-firefox-extensions-are-all-disab…
//https://www.ghacks.net/2015/06/19/how-to-disable-the-firefox-40-add-on-…
//https://www.opennet.ru/opennews/art.shtml?num=50623
//https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Distribution#S…
//https://www.reddit.com/r/firefox/comments/bkcjoa/all_of_my_addons_got_d…
user_pref("xpinstall.signatures.required", false);

alegedly - it works only for Linux FF.... My TBB is on windows - thus the solution does not help.

Seems like Mozilla almost eliminated privacy for many Tor (TBB) users. How such situations may

be avoided in the future? Is it the extra attacking vector of TBB-users?

May 04, 2019

Permalink

# User Preferences

// https://tor.stackexchange.com/questions/12660/tor-browser-updates-itsel…
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
// https://2019.www.torproject.org/docs/torbutton/en/design/
user_pref("extensions.update.enabled", false);
user_pref("extensions.update.autoUpdateDefault", false);

Now I see why old instances\installations of TBB works - I used (temporary for sure!!!) disabled updates. I guess you may use it as workaround, meanwhile Mozilla working on "Bug 1548973 (armagadd-on-2.0)".

P.S. Are all armagedons heppen on Friday->Sutterday?

May 04, 2019

Permalink

Today NoScript 10.6.1 stops working, Maximum protection for your browser: NoScript allows active content only for trusted domains of your choice to prevent exploitation.

May 04, 2019

Permalink

I forgot to clarify in my comment yesterday, that TB [Tor Browser] had opened and worked fine for about 4-5 minutes, and then all of a sudden all the extensions were disabled. Subsequent restarts of the browser haven't fixed it.

So I made a clean install of TB in a separate folder & still the same thing happened! As soon as I started TB, it disabled all the extensions again, even NoScript. Just shows an error: NoScript could not be verified for use in Tor Browser and has been disabled.

Well, so then I tried opening TB on my Android device [build 8.5a11, I believe] and the exact same thing happened [all the extensions were disabled].

I'm stumped. As I do not know what to do next...

May 04, 2019

Permalink

noscript 10.2.4 dont work tor browser 8.0.8

An error message in the plugin

NoScript could not be verified for use in Tor Browser and has been disabled

NoScript 10.2.4 (Disabled)

May 04, 2019

Permalink

https://www.reddit.com/r/linux/comments/bkgihr/expired_certificate_disa… <- armagaddon 2.0

Suddenly, every add-on in Firefox broke because of an expired cert.

Tor Browser 8.0.8 is also affected. Disabling uMatrix and NoScript (*not* loading and executing stuff should be core functionality of any browser, not add on, anyway!!!) rips a huge hole into browser security. Seriously, please considerr ditching Mozilla in the short to mid term, they love antifeatures and this was the last straw.

May 05, 2019

Permalink

Hi. Only my laptop has audio, and it is a major pain to type on, so I'm trying to use X11 to display on my main desktop from the laptop. This works okay, except no audio. I've tried running Tor on the laptop and displaying on the desktop, no joy. I've tried running Tor on the Desktop and displaying on the laptop, no joy. Running both on the laptop I get audio. However, the laptop starts overheating and will shutdown if I let the temperature get too hot, especially if playing a video too. (No money for new equipment.) In theory, running Tor on the laptop and displaying on X11 on the desktop should provide audio. Is there a workaround for this? It is a major pain. (Yes, installing an audio card in the desktop/router would will work once somebody throws some money my way. Until then.....) Any ideas will be appreciated. One more thing. The "Troubleshooting" page says the audio is "remote" when running on the laptop, but displaying on the desktop. When both are on laptop, the Media doesn't say "remote" but displays the audio chip of my laptop. I'm a retired Technician, but have been offline for about 5 years. I'm retired. Thanks in advance.
--Iyyov

This is Tor Project, not audio X11 project. Your comment was accepted, so I will answer, but in the future ask elsewhere like on stackexchange or your OS help sites.

Get a male-male audio cable and plug the audio line-out of your desktop into the mic/line-in on your laptop. Then, configure laptop to play audio from laptop mic/line-in. Play video on desktop, and send audio to laptop. If desktop has no audio line-out port, web search how to stream audio on a LAN. Maybe IceCast or obsproject.com or Music Player Daemon. If desktop cannot generate audio, laptop by itself is best choice. Select low resolution video files. X11 is video only. PulseAudio Volume Control and ALSA are audio only. Good luck.

May 17, 2019

Permalink

I can't seem to access anything with .onion. Does any one have any ideas? thanks Steve